I've been round about the houses with this one for days, and I've not found a solution yet that works. I haven't found a way to block the HTTP access to the management plane either; I had to give up and disable it completely.
In my show run:
ip access-list extended DENIED_SSH_ACCESS
deny tcp any host 192.168.1.2 eq 22
permit ip any any
I've tried putting it in:
interface Dialer0
ip access-group DENIED-SSH-ACCESS in
This still allows SSH access from the WAN into the router.
I've also tried putting it in:
GigabitEthernet8 and also in interface Ethernet0.10; again, it doesn't block SSH access.
I'm not going to attempt to put it into VLAN1, as I'm pretty sure that's my internal network and that's going to lock me out.
How do I completely and totally turn off SSH access to the management plane from WAN on the Cisco 890?
I've been through the Managing Plane Protection Cisco document, but the commands literally don't work. For instance, the syntax Ethernet0/0 doesn't work; x/y syntax just doesn't seem to work at all on this router. I've tried Ethernet 0 0, and I've tried Ethernet0/1-4 to specify ranges too.
The instructions just don't work on this router.
E.g. one recommendation I've seen is to allow access to the management plane via a specific interface. The Cisco recommendation is:
control-plane host
management-interface GigabitEthernet 0/1 allow ssh https
However, when I run this, I get:
AtlasNet(config-cp-host)#management-interface GigabitEthernet 0/1 allow ssh https
^
% Invalid input detected at '^' marker.
AtlasNet(config-cp-host)#
And if I try:
control-plane host
management-interface GigabitEthernet0 allow ssh https
Then my SSH connection going through GigabitEthernet0 freezes and I have to reboot the router, which makes no sense to me as GigabitEthernet0 should be the only interface unaffected by the command...
Does anyone know how to disable WAN SSH access to the management plane?
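The following is an added example, not part of the original post: a small Python check that cross-references every `ip access-group` binding in an IOS configuration against the ACL names actually defined. IOS accepts a binding to an ACL name that does not exist and then filters nothing on that interface, so a name mismatch fails silently. The sample input is constructed from the lines quoted in the post; the function name `audit_acl_bindings` is hypothetical.

```python
import re

# Constructed sample: the configuration lines quoted in the post above.
SAMPLE_CONFIG = """\
ip access-list extended DENIED_SSH_ACCESS
 deny tcp any host 192.168.1.2 eq 22
 permit ip any any
interface Dialer0
 ip access-group DENIED-SSH-ACCESS in
"""

ACL_DEF = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
NUMBERED_ACL = re.compile(r"^access-list (\d+) ")
INTERFACE = re.compile(r"^interface (\S.*)$")
ACL_REF = re.compile(r"^ip access-group (\S+) (in|out)$")


def audit_acl_bindings(config: str):
    """Return (defined ACL names, bindings); each binding is
    (interface, acl_name, direction, is_defined)."""
    defined, refs, current_if = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_DEF.match(line) or NUMBERED_ACL.match(line)
        if m:
            defined.add(m.group(1))
            current_if = None  # an ACL definition ends any interface block
            continue
        m = INTERFACE.match(line)
        if m:
            current_if = m.group(1)
            continue
        m = ACL_REF.match(line)
        if m and current_if:
            refs.append((current_if, m.group(1), m.group(2)))
    # Resolve after the full pass so definition order does not matter.
    return defined, [(i, n, d, n in defined) for i, n, d in refs]


if __name__ == "__main__":
    _, bindings = audit_acl_bindings(SAMPLE_CONFIG)
    for iface, name, direction, ok in bindings:
        status = "ok" if ok else "UNDEFINED (filters nothing)"
        print(f"{iface}: access-group {name} {direction} -> {status}")
```

Run against a saved copy of `show run`, it lists each interface binding and whether the referenced ACL exists under exactly that name.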